> ## Documentation Index
> Fetch the complete documentation index at: https://docs.shoppex.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> 2FA, active sessions, and the audit trail.

Shoppex authentication runs on BetterAuth. Manage your 2FA and sessions from your **profile**
(avatar dropdown top-right → **Profile**, or `/settings/me/profile`). The shop-level audit
trail lives under the **Security** section in the sidebar.

## Two-factor authentication

Open your profile page. Shoppex supports time-based one-time passwords (TOTP) through any
authenticator app — Google Authenticator, Authy, 1Password, Bitwarden, anything that scans a
QR code.

When you enable 2FA, you scan the QR code with your app, enter a code to confirm, and you're
done. Future logins from new devices prompt for the code.

You're given a set of **recovery codes** at enrollment — save those somewhere safe. They're
the only way back in if you lose your phone.

## Active sessions

The session list on your profile page shows every device currently logged in. Revoke an
individual session or sign out everywhere at once. Useful after lost devices or when you've
been working on someone else's machine.

## Audit trail

Every significant action by every teammate is recorded under **Security → Audit Trail**
(`/security/audit`). Each entry captures:

* Who acted (user ID).
* What they did (action name, resource type, resource ID).
* When (timestamp).
* From where (IP and user agent).
* What changed (before/after data for updates).

Filter by user, action type, or date range. The log is retained indefinitely.

## Account recovery

If you lose access to both your password and your 2FA device, identity verification can
recover the account. Reach out via the [Shoppex Discord](https://discord.gg/VjrptT6Nvx) or
[Telegram](https://t.me/shoppexhq) — we'll verify ownership and walk you through the recovery
flow.
